Insiders, you gotta watch 'em

It is a pretty common theme of my Cyber Crime Scenario presentation that insiders are a risk. The more so because markets for data, especially credit card info, are making it possible for just about anay knowledge worker with access to data to rob you.

But the real damage comes from the clever insider that figures out your business operations and a way to hack them. Accounting fraud has been around since the invention of commerce and many controls have been put in place to lower the risk associated with white collar crime. Using IT resources is just an extension of what has gone before.

The latest case: an insider at an online poker site figures out how to beat the house using his access to the internal systems. Cost to the company? $1.6 million.

The company's response seems appropriate. They figured out every player that had lost money while playing against the insider's hands and reimbursed them. I am interested in what the cost to Absolute Poker was in lost revenue due to loss of trust in the honesty of their systems. (Just a reminder to US citizens that online gaming is illegal for them).

When I was a white hat hacker for PricewaterhouseCoopers there was one realization that came quickly. Given three or four days insider access to any organization we could figure out how to steal from them. Controls must extend beyond the financial systems and be deployed systemically throughout IT.